Firewall rules using SELinux context (Was Re: RFE: FireKit)

Gregory Maxwell gmaxwell at gmail.com
Fri Jul 24 23:22:42 UTC 2009


On Fri, Jul 24, 2009 at 5:49 PM, Roland McGrath<roland at redhat.com> wrote:
> So I think most of us in this discussion probably don't actually understand
> SECMARK.  I sure didn't.  I think I might now, sort of.  The SELinux policy
> just says contexts, and it doesn't say anything about the port numbers.
> The point of SECMARK is that you write port-matching rules that are what
> sets the context on those packets.  You have to write those rules by hand
> (or somehow) or else there just aren't ever any packets anywhere that are
> marked with the right context so they match the SELinux policy for what the
> given daemon is allowed to see.
>
> So I think what one really wants is just a better level of admin/packaging
> coordination.  That is, you would really like to write in one place both
> the SELinux policy and the port numbers (i.e. iptables matching rules) you
[snip]

Not just port numbers.

For example, I might want to confine CUPS to only speak to localhost
and 192.168.1.1/32; 192.168.10.1/32; 192.168.15.3/32, so that if
something running as cups_t is compromised it can only talk to my
print servers and not phone home or get messages from an external
botnet controller.

I think SECMARK can do this, but I think that it would require me to
change the SELinux policy to only allow cups_t to touch cups-marked
packets.  I think this would be much easier to administer as pure
firewall rules, i.e.

-S 192.168.1.1/32 --dctx cups_t -j ACCEPT
...
--dctx cups_t -j REJECT

--sctx cups_t -D 192.168.1.1/32 -j ACCEPT
--sctx cups_t -j REJECT
As far as I can tell the only way to get the same general behavior
from SECMARK is to make the SELinux policy require the marking, then
have a bunch of marking rules.  Then your apps break if the firewall
is not activated.  I consider this a bootstrapping problem.

I'm also not sure how you could achieve multiple contexts being
permitted to access a particular set of traffic using SECMARK, nor can
I figure out how you could accomplish the output side.
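What the SECMARK route described in this thread actually looks like for the CUPS case, as an added example script that is not part of the original mail: it emits the iptables marking rules for a list of approved print servers, and the policy lines the CUPS domain would need. The domain name cupsd_t (the mail says cups_t), the packet type ipp_client_packet_t and the module snippet are assumptions based on the reference policy.

```shell
#!/bin/sh
# Generate SECMARK labelling rules that confine CUPS' outbound IPP traffic
# to an approved set of print servers (example script, not from the thread).
# Assumptions not in the mail: the CUPS domain is cupsd_t (the mail calls it
# cups_t), approved traffic is labelled with the reference-policy packet
# type ipp_client_packet_t, and enforcement relies on the policy NOT
# allowing cupsd_t to send/recv unlabeled_t packets. That is exactly the
# bootstrapping issue raised above: without these rules every packet stays
# unlabeled_t and CUPS loses all network access.
ALLOW_CTX="system_u:object_r:ipp_client_packet_t:s0"
IPP_PORT=631

# secmark_rules <server-cidr>... : print the iptables commands to stdout.
# Only approved destinations are labelled; everything else stays
# unlabeled_t, so the deny half of the mail's "--dctx cups_t -j REJECT"
# lives in the SELinux policy, not in the firewall. Inbound connections to
# cupsd itself (server side) would need a separate ipp_server label.
secmark_rules() {
    # Re-apply the connection's saved label to later packets in both
    # directions, so replies from the print server are labelled too.
    echo "iptables -t mangle -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore"
    echo "iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore"
    # Label the first packet of each approved IPP connection (localhost
    # is always approved, as in the mail's list).
    for dst in 127.0.0.1/32 "$@"; do
        echo "iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -p tcp -d $dst --dport $IPP_PORT -j SECMARK --selctx $ALLOW_CTX"
    done
    # Store the label on the conntrack entry for the --restore rules above.
    echo "iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j CONNSECMARK --save"
}

# policy_hint: the TE lines cupsd_t needs in order to use the labelled
# packets (to be built into a local policy module; assumed names).
policy_hint() {
    cat <<'EOF'
# local policy module (assumed type names; adjust to the installed policy)
allow cupsd_t ipp_client_packet_t:packet { send recv };
# and no allow rule for cupsd_t on unlabeled_t:packet
EOF
}

if [ "$#" -gt 0 ]; then
    secmark_rules "$@"
    policy_hint
fi
```

Run as `sh secmark-cups.sh 192.168.1.1/32 192.168.10.1/32 192.168.15.3/32` to print the rules; pipe them through a root shell only after the matching policy module is installed, or CUPS loses network access.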
More information about the fedora-devel-list mailing list